New Stealthier ZLoader Variant Spreading Via Fake TeamViewer Download Ads (14th September 2021)

Ref# AL2021_27 | Date: Sep 16th 2021

Users searching for TeamViewer remote desktop software on search engines such as Google are being redirected to malicious links that place the ZLoader malware onto their systems. The campaign uses a hidden infection chain that allows the malware to stay on infected devices and avoid detection by security solutions.


The malware is downloaded from a Google ad published through Google AdWords, SentinelOne researchers said in a recently published report. Rather than compromising victims directly, for example by phishing, the attackers take an indirect route to reach them.

How it works

The attack vector was first discovered in 2016. ZLoader (aka Silent Night and Zbot) is a fully-featured banking trojan and a part of another banking malware called ZeuS, with newer versions implementing a VNC component that grants adversaries remote access to victim systems. The malware remains active, with malicious actors generating an array of variants in recent years, fueled in no small part by the leak of the ZeuS source code in 2011.

The attack is noteworthy because of the measures it takes to stay stealthy, including running a series of commands that hide its malicious activity by disabling Windows Defender. The infection chain begins when a user clicks on an ad shown by Google on the search results page and is redirected to a counterfeit TeamViewer site under the attackers' control, which tricks the victim into downloading a rogue but signed version of the software (Team-Viewer.msi). The fake installer acts as the first-stage dropper and triggers a series of actions that involve downloading next-stage droppers aimed at impairing the defences of the machine and finally downloading the payload (ZLoader DLL).

SentinelOne Senior Threat Intelligence Researcher Antonio Pirozzi also observed that the malware disables all the Windows Defender modules through the PowerShell cmdlet Set-MpPreference. It also adds exclusions, such as regsvr32, .exe and .dll, with the cmdlet Add-MpPreference to conceal all the components of the malware from Windows Defender.
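One way to hunt for the Defender tampering described above in process-creation or PowerShell logs, as an added example that is not taken from this alert or from SentinelOne's report. The sample command lines are constructed, and the parameter names matched are the standard documented Set-MpPreference and Add-MpPreference parameters, not values quoted from the report.

```python
import re

# Any Set-MpPreference "-Disable*" switch set to true turns a protection off.
DISABLE_PARAM = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
# Add-MpPreference exclusion parameters; the value runs up to the next
# parameter, a command separator, or the end of the line.
EXCLUSION_PARAM = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(.+?)(?=\s+-[A-Za-z]|[;|]|$)", re.I)
# Exclusions named in the alert; broad enough to hide a whole infection chain.
BROAD = ("regsvr32", ".exe", ".dll")

# Constructed sample command lines (not real telemetry).
SAMPLE = [
    r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'powershell.exe Add-MpPreference -ExclusionProcess regsvr32 -ExclusionExtension ".dll"',
    r'powershell.exe Add-MpPreference -ExclusionPath C:\BuildCache',
    r'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false',
    r'msiexec.exe /i Team-Viewer.msi',
]

def analyze(command_line):
    """Return a list of (severity, reason) findings for one logged command."""
    findings = []
    text = command_line.lower()
    if "set-mppreference" in text:
        for name in DISABLE_PARAM.findall(command_line):
            findings.append(("high", f"Defender feature disabled: {name}"))
    if "add-mppreference" in text:
        for kind, raw in EXCLUSION_PARAM.findall(command_line):
            value = raw.strip(" '\"")
            sev = "high" if any(b in value.lower() for b in BROAD) else "medium"
            findings.append((sev, f"Exclusion{kind} added: {value}"))
    return findings

if __name__ == "__main__":
    for line in SAMPLE:
        for sev, reason in analyze(line):
            print(f"[{sev}] {reason} <- {line}")
```

Narrow exclusions added by legitimate software are reported as medium so they can be reviewed against an allow-list rather than silently dropped.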

For further information on this vulnerability, kindly follow this URL: comes-with-improved-stealth-and-evasion-mechanisms/


At this moment, there is no patch available for this kind of vulnerability. However, the Guyana National CIRT recommends that users implement several security measures, listed below.

  • Look for the secure connection symbol: when opening a website, look for the padlock symbol to the left of the address bar. This shows that your connection is secure.

  • Patching: if you're an IT administrator, ensure your DNS server is up to date with the latest security patch.

  • End-User Education: PC users should receive frequent training on how to identify suspicious sites and on not clicking the ignore button if they receive a Secure Socket Layer (SSL) warning before connecting to a site.

    The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
